Issue #391 has been updated by Clément OUDOT.
Well seen. We can maybe add an option to allow returning such messages, else we will never say if the account exists or not.

----------------------------------------
Bug #391: Email based password reset allows brute force attack using wildcard *
http://tools.lsc-project.org/issues/391

Author: Joe Campbell
Status: New
Priority: High
Assigned to:
Category: Self Service Password
Target version: self-service-password-?

The email based password reset allows an individual to test for user names to attack by using '*' wildcards, i.e. you can enter jc* in the username and it will return an error to you that indicates if it found a user name that matches by starting with the letters j and c.
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
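The two fixes discussed in this thread, as an added example that is not Self Service Password's own code: the login is escaped per RFC 4515 before it is placed in the LDAP filter (so `*` no longer acts as a wildcard), and the reset form returns the same message whether or not an account matched. The directory contents, attribute names and filter shape are constructed assumptions; a small matcher stands in for the LDAP server so the effect of the wildcard can be observed offline.

```python
import re

# Constructed stand-in for the directory the reset form searches: uid -> mail.
DIRECTORY = {"jcampbell": "[email protected]", "coudot": "[email protected]"}

# RFC 4515 filter metacharacters and their escaped forms.
LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape user input so it is matched literally inside an LDAP filter."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(login: str) -> str:
    """The pattern this report describes: raw input becomes part of the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={login}))"


def build_filter(login: str) -> str:
    """Hardened form: the login is escaped, so '*' can no longer act as a wildcard."""
    return f"(&(objectClass=inetOrgPerson)(uid={ldap_filter_escape(login)}))"


def _assertion_chunks(value: str) -> list:
    """Split a uid assertion into literal chunks separated by '*' wildcards,
    decoding \\xx escapes to the literal character (a minimal RFC 4515 reader)."""
    chunks, cur, i = [], "", 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            cur += chr(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "*":
            chunks.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + value[i], i + 1
    return chunks + [cur]


def find_users(ldap_filter: str) -> list:
    """Simulate the server side of the search: which uids satisfy the uid assertion."""
    assertion = re.search(r"\(uid=([^)]*)\)", ldap_filter).group(1)
    pattern = ".*".join(re.escape(c) for c in _assertion_chunks(assertion))
    return sorted(uid for uid in DIRECTORY if re.fullmatch(pattern, uid))


UNIFORM_MESSAGE = "If this account exists, a reset link has been sent to its e-mail address."


def reset_response(login: str) -> str:
    """Hardened handler: escaped filter, and one message for found and not-found."""
    find_users(build_filter(login))  # an exact match would trigger the reset e-mail here
    return UNIFORM_MESSAGE
```

With the unsafe filter, `jc*` matches `jcampbell` and a bare `*` matches every entry; after escaping, only an exact login matches and the response text carries no information about it.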
